A record DDoS attack that targeted financial services companies and telcos involved waves of attacks from compromised ASUS home routers – likely exploited at scale through a critical vulnerability, CVE-2024-3080.
That’s according to Cloudflare, which said that it has been tackling a “month-long campaign of hyper-volumetric L3/4 DDoS attacks” targeting customers globally – and originating from devices around the world.
The security and content delivery network firm said it mitigated over 100 “hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps)”.
The largest peaked at 3.8 terabits per second (Tbps), the largest DDoS attack publicly disclosed to date.
The motivation for the attacks and the actor behind them were not disclosed. Large-scale DDoS attacks have in the past served as cover or a distraction for other, more subtle intrusions by threat groups.
Record DDoS attack: mostly UDP
The attacks predominantly leveraged UDP on a fixed port, Cloudflare said in a blog post on the attacks published on October 2: “The high packet rate attacks appear to originate from multiple types of compromised devices, including MikroTik devices, DVRs, and Web servers, orchestrated to work in tandem and flood the target with exceptionally large volumes of traffic.
“The high bitrate attacks appear to originate from a large number of compromised ASUS home routers,” its researchers said, suggesting that these were likely compromised via CVE-2024-3080, a critical (CVSS 9.8) authentication bypass vulnerability in a range of ASUS routers that Censys reported on in June, when it found some 157,000 potentially affected routers exposed to the internet.
Cloudflare said its systems automatically mitigated the attacks, detailing how it uses anycast to spread traffic across its network and adding that “sampling traffic and dropping bad packets is the job of our l4drop component, which uses XDP (eXpress Data Path) and leverages an extended version of the Berkeley Packet Filter known as eBPF (extended BPF). This enables us to execute custom code in kernel space and process (drop, forward, or modify) each packet directly at the network interface card (NIC) level. This component helps the system drop packets efficiently without consuming excessive CPU resources on the machine…”
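The l4drop description above, dropping packets in XDP before they reach the kernel's network stack, is easier to follow in code. What follows is an added example written for this article, not Cloudflare's l4drop or anything from its blog: a user-space C model of the decision an XDP program makes for each raw frame, parse Ethernet/IPv4/UDP with a length check before every read (the discipline the kernel's BPF verifier enforces), then count packets per UDP destination port and drop once a port exceeds a per-second threshold. The threshold of 1,000 packets per second, the port numbers and the constructed frames are assumptions for the example; the sampling step Cloudflare mentions is omitted, and a real XDP program would return XDP_DROP/XDP_PASS and keep its counters in a BPF map.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN        14
#define ETHERTYPE_IPV4  0x0800
#define IP_PROTO_UDP    17
#define IP_PROTO_TCP    6

/* Policy assumed for this example (not Cloudflare's real thresholds): more
   than PPS_THRESHOLD UDP packets to one destination port within a single
   second is treated as flood traffic and dropped for the rest of that second. */
#define PPS_THRESHOLD   1000u

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };   /* stands in for XDP_PASS / XDP_DROP */

/* Per-destination-port counters for the current one-second window. A real
   XDP program would keep these in a BPF map (typically a per-CPU array). */
static uint32_t pps_count[65536];
static uint64_t window_start_sec;

void l4_filter_reset(void)
{
    memset(pps_count, 0, sizeof pps_count);
    window_start_sec = 0;
}

/* Decide PASS/DROP for one raw Ethernet frame. Every read is preceded by a
   length check: the kernel BPF verifier refuses XDP code that could read past
   the end of the frame. Anything that cannot be parsed goes to the stack. */
enum verdict l4_filter(const uint8_t *pkt, size_t len, uint64_t now_sec)
{
    if (len < ETH_HLEN)
        return VERDICT_PASS;
    uint16_t ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return VERDICT_PASS;

    const uint8_t *ip = pkt + ETH_HLEN;
    if (len < ETH_HLEN + 20)
        return VERDICT_PASS;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;            /* IPv4 header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HLEN + ihl)
        return VERDICT_PASS;
    if (ip[9] != IP_PROTO_UDP)
        return VERDICT_PASS;                             /* only UDP is rate-limited here */

    const uint8_t *udp = ip + ihl;
    if (len < ETH_HLEN + ihl + 8)
        return VERDICT_PASS;
    uint16_t dport = (uint16_t)((udp[2] << 8) | udp[3]);

    if (now_sec != window_start_sec) {                   /* roll the one-second window */
        memset(pps_count, 0, sizeof pps_count);
        window_start_sec = now_sec;
    }
    return ++pps_count[dport] > PPS_THRESHOLD ? VERDICT_DROP : VERDICT_PASS;
}

/* Constructed test frame: Ethernet + IPv4 (no options) + an 8-byte L4 header
   whose bytes 2-3 carry the destination port, followed by a zero payload.
   Checksums stay zero because the filter never checks them. Returns frame length. */
size_t build_frame(uint8_t *buf, size_t cap, uint8_t proto, uint16_t dport, size_t payload_len)
{
    size_t total = ETH_HLEN + 20 + 8 + payload_len;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                      /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                                        /* version 4, IHL 5 */
    uint16_t ip_len = (uint16_t)(20 + 8 + payload_len);
    ip[2] = (uint8_t)(ip_len >> 8); ip[3] = (uint8_t)ip_len;
    ip[8] = 64;                                          /* TTL */
    ip[9] = proto;
    const uint8_t src[4] = {198, 51, 100, 10}, dst[4] = {203, 0, 113, 5};  /* RFC 5737 test addresses */
    memcpy(ip + 12, src, 4); memcpy(ip + 16, dst, 4);
    uint8_t *l4 = ip + 20;
    l4[0] = 0x30; l4[1] = 0x39;                          /* source port 12345 */
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    return total;
}

/* Resets the filter, replays `packets` identical frames inside one second and
   returns the index of the first dropped packet, or -1 if all passed. */
int replay_flood(uint8_t proto, uint16_t dport, int packets, uint64_t now_sec)
{
    uint8_t frame[128];
    size_t n = build_frame(frame, sizeof frame, proto, dport, 32);
    l4_filter_reset();
    for (int i = 0; i < packets; i++)
        if (l4_filter(frame, n, now_sec) == VERDICT_DROP)
            return i;
    return -1;
}

int main(void)
{
    printf("1500 UDP packets to port 9000 in one second: first drop at index %d\n",
           replay_flood(IP_PROTO_UDP, 9000, 1500, 100));
    printf("1500 TCP packets to port 9000 in one second: first drop at index %d\n",
           replay_flood(IP_PROTO_TCP, 9000, 1500, 100));
    return 0;
}
```

The first 1,000 UDP frames to the port pass and the 1,001st is dropped, TCP frames are never touched, and a frame too short to parse is handed to the stack rather than read out of bounds. The per-port counter is the weak point of this model: a flood spread across many destination ports, or across the one-second boundary, would need a different key (source prefix, packet size, TTL) or a sliding window, which is why production filters like l4drop combine sampling with several signals rather than one counter.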
While on this occasion the compromised devices were used to launch huge DDoS attacks, previous mass compromises of routers and other network-attached devices have notably been used by nation-state-backed threat groups as command-and-control (C2) infrastructure.
CISA and the NSA warned in June 2022, for example, that Chinese state-sponsored APTs were compromising small office/home office (SOHO) routers, primarily Cisco devices, as well as network-attached storage (NAS) devices, to use them as “additional access points to route command and control traffic and act as midpoints to conduct network intrusions on other entities” in a complex campaign.
Last year, meanwhile, Check Point identified a highly unusual malware campaign that also compromised home routers, also believed to be linked to a Chinese APT, using a newly discovered implant dubbed “Horse Shell”.
That malware is tailored to abuse TP-Link home router firmware and is compiled for the MIPS32 architecture used in networking equipment such as modems, routers and switches. It provides three capabilities:
- Remote shell: execution of arbitrary shell commands on the infected router.
- File transfer: upload and download of files to and from the infected router.
- SOCKS tunneling: relaying communication between different clients.
Unusually, every communication by the Horse Shell implant is encrypted using a custom or modified encryption scheme based on a substitution-permutation network. Check Point was clear that it had no idea what the hacked routers were being used for, but said: “let’s not mince words – the code quality is impressive, and the implant’s ability to handle multiple tasks across a range of modules and structures demonstrates the kind of advanced skills that make us stand up and take notice…”